Hacker steals at least 58 million personal records from data management firm

Hardly a day goes by lately when we don’t hear about a massive data breach. Whether it’s a major retail outlet like Home Depot, an electronic auction service like eBay, or an online services company like Yahoo, no matter where your personal data resides, it seems wide open to malicious attack. Research shows that there have been 2,928 publicly disclosed attacks so far in 2016, involving more than 2.2 billion records in total.

Sometimes, you know that you’re a victim of a data breach, such as when Blue Cross Blue Shield company CareFirst was hacked and over a million records were stolen. Sometimes, however, as with the recent data breach at Modern Business Solutions (MBS) reported by security firm Risk Based Security, you may not even be aware that the company exists.

MBS is a company specializing in providing in-house data management and monetization services to other companies. If you’re an MBS customer, then you probably don’t even know it, and the 58 million stolen database records could belong to just about anyone.

The hacker who perpetrated the theft is known by the Twitter handle @0x2Taylor, and apparently the stolen data was posted multiple times over the past weekend. The data was quickly removed each time, but it included complete names, IP addresses, dates of birth, email addresses, vehicle data, and occupations. In other words, the data would be incredibly helpful for conducting further, highly individualized attacks such as identity theft.

Perhaps worst of all, the breach was made possible by an obvious attack vector. MBS was using an open MongoDB database, and apparently all that was needed for the attack to occur was for the IP address of that database to be communicated online. Rather than informing MBS of the security issue, whoever found the database leaked it to acquaintances instead. From there, the attack was both simple and straightforward.

At this point, there’s some confusion as to the actual number of records that were released. While it’s at least 58 million, it could be as many as 258 million based on an analysis of the database involved. While research is ongoing, it’s entirely possible that we’ll never know exactly how much data was released and who was affected.

Normally we would give various recommendations about being aware of where your personal data is being stored and responding appropriately to any notifications of a data breach. In this case, there’s not much you can do except invest in a credit and data monitoring service of some sort to make sure you’re generally protected — because you never know when you might be attacked and not even know it.

Mark Coppock